It is intended to keep the session content rather than the session object.
So, there is a bug in the spec.
I have filed issue
http://java.net/jira/browse/SERVLET_SPEC-47
to track this.
Concerning the new API Request.changeSessionId(), the implementation of
Request.login() can invoke Request.changeSessionId() if it is necessary.
Thanks.
Shing Wai Chan
On 10/4/12 8:54 PM, Jan Bartel wrote:
> Hi,
>
> The 3.0 Spec sec 13.10 Login and Logout, page 145 says:
>
> "If a developer creates a session while a user is not authenticated,
> and the container then
> authenticates the user, the session visible to developer code after
> login must be the
> same session object that was created prior to login occurring so that
> there is no loss
> of session information."
>
> Does that mean that if a session exists before a user called
> Request.login(), the container cannot implement session fixation
> prevention and change the session id automatically? If
> changing the session id is actually permitted, should the above clause
> be taken to mean that the object must actually be one and the same?
> I.e. that sessionPrev == sessionNew?
>
> Alternatively is the container not permitted to implement automatic
> session fixation prevention, and callers of Request.login() must
> explicitly call Request.changeSessionId()?
>
> Jan
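The behaviour discussed above (session content preserved across login while the id is rotated against session fixation), as an added example that is not code from either message: a hypothetical Servlet 3.1 login servlet that calls request.login() and then request.changeSessionId() explicitly, then checks that the pre-login session object and its attributes survive. The servlet path, the "cart" attribute and the parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login endpoint; "/login" and the attribute name are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A session may already exist before authentication, e.g. holding a
        // shopping cart that the spec says must not be lost at login.
        HttpSession pre = req.getSession(true);
        Object cart = pre.getAttribute("cart");
        String oldId = pre.getId();

        try {
            // Container-managed authentication (Servlet 3.0, sec 13.10).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Credentials rejected: leave the session and its id untouched.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Servlet 3.1: give the SAME session a fresh id, so an id that was
        // issued to the unauthenticated client is no longer valid afterwards.
        String newId = req.changeSessionId();

        // The session object and its content are unchanged; only the id differs.
        HttpSession post = req.getSession(false);
        if (post != pre || post.getAttribute("cart") != cart || newId.equals(oldId)) {
            throw new ServletException("session content or id rotation check failed");
        }

        // Audit trail: log the rotation so id changes are visible in ops logs.
        getServletContext().log("session id rotated at login for "
                + req.getRemoteUser() + " (old id no longer valid)");

        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The explicit changeSessionId() call is what the thread says a container's own login() may also do internally; calling it here is harmless either way, since the session content is retained in both cases.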